|Publication number||US20050029349 A1|
|Application number||US 10/940,920|
|Publication date||Feb 10, 2005|
|Filing date||Sep 14, 2004|
|Priority date||Apr 26, 2001|
|Also published as||EP1402343A1, EP1402343A4, US6816058, US6954133, US20020158747, US20020180584, WO2002088932A1|
|Publication number||10940920, 940920, US 2005/0029349 A1, US 2005/029349 A1, US 20050029349 A1, US 20050029349A1, US 2005029349 A1, US 2005029349A1, US-A1-20050029349, US-A1-2005029349, US2005/0029349A1, US2005/029349A1, US20050029349 A1, US20050029349A1, US2005029349 A1, US2005029349A1|
|Inventors||Christopher McGregor, Travis McGregor, D. McGregor|
|Original Assignee||Mcgregor Christopher M., Mcgregor Travis M., Mcgregor D. Scott|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (49), Referenced by (39), Classifications (29)|
|External Links: USPTO, USPTO Assignment, Espacenet|
This is a divisional application of U.S. patent application Ser. No. 09/843,572, filed Apr. 26, 2001, now U.S. Pat. No. ______.
1. Field of the Invention
The present invention relates generally to the field of credit card security, and more particularly to a bio-metric smart card, a bio-metric smart card reader and a method of use for the card and reader.
2. Description of the Related Art
Recent innovations have brought significant security-related advances to the credit card, debit card, and consumer banking industries. In the 1980s, holographic images were introduced and included on plastic card faces to deter the manufacture of counterfeit cards. More recently, some cards have been adapted to include a photograph of the authorized user, thereby obviating the need for a purchaser to present separate identification and decreasing the likelihood of fraud. Most recently, smart cards, also known as personal data cards or chip cards, which include a memory chip integral with the card, now provide additional security features.
Despite these advances, the industry remains burdened by a considerable fraud problem. Credit card theft and fraud accounts for billions of dollars in damages a year in the U.S. alone, with billions more being lost overseas. Holographic images do nothing to deter the unauthorized use of a genuine card and new technology has made them easier to copy. Sub-thumbnail sized photos on cards are often too small for careful examination by store clerks, and like holograms, cannot be viewed during online or telephone-based transactions. And smart cards provide no new security features unless used across a new breed of card-reading infrastructure, which will cost hundreds of millions of dollars to install. Moreover, like the other new technologies described above, smart cards do not address online and telephonic sales scenarios wherein the merchant lacks the ability to examine the actual card. Perhaps most importantly, since smart cards are not compatible with the existing card-reading infrastructure they do not address the near term needs of the industry and the massive on-going losses caused by fraudulent use.
In the above-described available transaction process, while recent security advances do provide some crime protection, there is still far more opportunity than desirable for deception and fraud. Specifically, if the card is lost or stolen the thief or finder of the lost card might use the card for fraudulent purchases. Also, if a thief finds or steals a receipt or similar record listing the card number and other card information found in field 112, that information might be fraudulently used for online or telephonic transactions.
There is therefore a need in the art for a new fraud-preventive system and method, which is compatible with the existing infrastructure, and can be used securely for remote, telephonic, or Internet-based transactions.
In general, the present invention is a system for increasing transaction security across existing credit card processing infrastructure. A user bio-metric sensor device is integrated into a credit or debit “smart card”. A display unit provides a key, preferably encrypted, upon successful utilization of the sensor device. Included in the key generation mechanism is an indicator of the transaction number or other sequential count indicative of card use. An authorization service decrypts the key in a manner at least partially dependent upon a second sequential count maintained in sync with the first count to determine whether the use is authorized. A separate reader may be similarly configured to read existing smart cards utilizing the process the present invention.
In one embodiment, the present invention is a smart card style apparatus including a bio-metric sensor providing the user an authentication data input for proving the user is authorized to use the account number, a transaction counter for tracking authorized device access events, a processor in electrical communication with the user authenticator and counter, wherein the processor is programmed to generate a security key in response to authentication data received via the sensor, and a display unit to display the security key on the face of the card. The security key is derived at least in part from the contents of the counter. In another embodiment, the present invention is configured as a portable reader for reading and authorizing purchases using existing smart cards. The present invention may also be configured as a peripheral device to a computer system.
According to the present invention, a method of securely authorizing a transaction utilizing an account comprises confirming an authorized use of an account card via a bio-metric sensor, maintaining a first count indicative of a number of instances of such authorized uses, generating a security key in a manner at least partially dependent upon the count, transmitting the security key to an authorizing authority, processing the security key at the authorizing authority, maintaining a second count indicative of a number of transmissions received by the authorizing authority for the account, confirming that the security key was generated by an authorized user at least in part through use of the first count and the second count, and authorizing the transaction if the security key is validated.
The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:
The following description is provided to enable any person skilled in the art to make and use the invention and sets forth the best modes contemplated by the inventor for carrying out the invention. Various modifications, however, will remain readily apparent to those skilled in the art, since the basic principles of the present invention have been defined herein specifically to provide a bio-metric smart card, bio-metric smart card reader and method of use. Any and all such modifications, equivalents and alternatives are intended to fall within the spirit and scope of the present invention.
One embodiment of the present invention is illustrated in
A security key display 220 is configured to display dynamic numeric and/or textual data forwarded by microprocessor 216, and intended to accompany the account number for all transactions in the manner outlined below with reference to
In a manner of use of the bio-metric smart card 210 and the present invention, a user's bio-metric indicator (here, a thumb or finger print) or another user-derived input mechanism triggers in microprocessor 216 the generation of a dynamic security key code displayed in the security key display region 220. The display region 220 preferably comprises an LED array, LCD, or other similar, low-cost display mechanism. The displayed security key is then communicated or transmitted to the credit card authorization service either through a reader, or through a telephone or other remote connection (e.g., entry by the user in a web page interface for an online transaction). The security key display region 220 is configured to display dynamic numeric and/or textual data forwarded by microprocessor 216.
More particularly, referring generally to the flowchart of
If a match is found at step 304, the microprocessor 216 increments an activation/transaction counter at step 307 and generates therewith a numeric or alphanumeric security key. The alphanumeric security key is then preferably encrypted at step 308 and forwarded at step 310 to display 220. The operator of a card reader such as magnetic strip reader 120, or a remote seller communicating with the user, then inputs or forwards at step 312 the displayed, encrypted security key along with the other information found on surface 212 and any other required information.
Upon receipt of the card information and encrypted key at an authorization service center, an authorization-side activation counter is then incremented at step 314, thereby remaining synchronized to the activation counter of the bio-metric smart card 210. The key is then decrypted at steps 316 in a manner utilizing the incremented activation count to determine at step 318 whether the authorized user initiated the requested purchase authorization. If the activation counter is sufficiently aligned with the counter reading from the card (within an allowed “window” of transaction counter numbers to allow for transactions being processed slightly out of order) and other easily understood criteria are met (i.e., sufficient credit or funds available, no lost or stolen card alert reported), an authorization signal is returned across network 125 at step 320. If any of the new or available criteria are not met, a “transaction rejected” code or signal is returned at step 322.
Referring next to
Finger print scanner 418 is accessibly disposed upon surface 412 of the card reader 410 and is connected to the microprocessor 416 to provide an input signal triggered by the user placing a thumb or finger upon the surface of the scanner 418.
The display 420 is configured to display dynamic numeric and/or textual data forwarded by microprocessor 416, and is intended to accompany the account number for all transactions in the manner outlined above with reference to
As shown in
In operation, a user inserts a credit card or smart card into the reader. Once the user places an appropriate finger or thumb on the finger-print sensor 514, the security code is generated by the microprocessor 520 and is displayed on the card reader display 512 or electronically transferred to a network. This security code may then be used to authorize a transaction as described above.
As described herein, the present invention provides a greater level of security to credit card transactions, by requiring a bio-metric input, and further by producing a unique security key code for each transaction. The present invention may be incorporated into a new smart card design, including a bio-metric sensor and a display, or may be incorporated as a portable “wallet” that can also be used with standard credit cards.
A preferred method to perform the operation of the encryption and decryption processing will now be discussed in further detail. Other procedures or algorithms may also be used in the present invention, as in well known in the art. First, the following acronyms will be defined:
As described above, the purpose of the bio-metric smart card is to authenticate the subscriber and the transaction for a credit card purchase. In order to perform the authentication, each bio-metric smart card contains a unique cryptographic key, KCARD, which is 80 bits or 10 bytes in length. Each service provider also has a unique key, KDOMAIN, which is 80 bits or 10 bytes.
KCARD is derived cryptographically from KDOMAIN respectively as follows:
KCARD=left-hand 10 bytes of SHA (KDOMAIN|BSEED)
where as KCARD is equal to the left-hand 80 bits or 10 bytes of the appropriate SHA result. BSEED is a bio-metrically generated value that is 80 bits or 10 bytes in length for each subscriber. In a preferred embodiment, the BSEED value is generated from a user's fingerprint data. The Secure Hash Algorithm, SHA, is defined in the Federal Information Processing Standards publications 180-1, herein incorporated by reference. KDOMAIN is a random value that is set by the service provider.
The authentication message is encrypted data that is communicated from the bio-metric smart card to the service provider for the purpose of authenticating the subscriber and the transaction. The bio-metric smart card communicates this message via the display on the front of the card, or the data is directly sent via IR or other wireless technology, or by a smart card reader that has an electrical connection to the network. The authentication message is comprised of base 10 values so that it will support most current infrastructures (i.e. telephone, Internet, zone machines, etc.). This message is also cryptographically designed so that the number of digits in the message will comply with industries standards (i.e. Visa, MasterCard, Amex, AT&T, MCI, etc.).
As discussed above, the authentication message contains a transaction (serial) number that is incremented for each transaction. This transaction number is incremented for each transaction so that it will only be accepted once. The transaction number is initially set to zero and when it reaches the value of 999999 the card becomes inoperable, or the transaction number is reset.
The bio-metric smart card increments the transaction number stored in the EEPROM of the card for each authentication message. The authentication message is encrypted using the KCARD encryption key and using the MD2 or DES encryption algorithm. This method allows for each authentication message to be unique for each subscriber and for each transaction. For example, performing MD2(KCARD+transaction number) produces a unique base 10 number. The next transaction increments the transaction number by 1, and thereby produces a different base 10 number, which is not simply the first security code plus one. This provides increased security against fraud, since even if someone has access to one security code, this will not authorize future transactions.
The authentication message is decrypted using the KCARD key and the MD2 or DES algorithm. The decryption key KCARD is generated for each transaction, so that there is no need for transferring this data. The transaction number contained in the authentication message is then referenced to validate the transaction. This is to prevent duplicate transactions. The authentication server may use a transaction number “window” to authorize each transaction in order to accommodate transactions being processed out of order. For example, transactions that are plus five transaction numbers from the current count may be approved.
The smart card or wallet incorporating the present invention must be initialized prior to use in order to store the KDOMAIN value and the user's fingerpint data. This step may be performed at a user's local bank branch, as is currently done to initialize ATM PIN numbers.
Those skilled in the art will appreciate that various adaptations and modifications of the just-described preferred embodiments can be configured without departing from the scope and spirit of the invention. Therefore, it is to be understood that, within the scope of the appended claims, the invention may be practiced other than as specifically described herein.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US4438824 *||Apr 22, 1981||Mar 27, 1984||Siemens Corporation||Apparatus and method for cryptographic identity verification|
|US4851654 *||May 27, 1988||Jul 25, 1989||Kabushiki Kaisha Toshiba||IC card|
|US4879747 *||Mar 21, 1988||Nov 7, 1989||Leighton Frank T||Method and system for personal identification|
|US5317636 *||Dec 9, 1992||May 31, 1994||Arris, Inc.||Method and apparatus for securing credit card transactions|
|US5623552 *||Aug 15, 1995||Apr 22, 1997||Cardguard International, Inc.||Self-authenticating identification card with fingerprint identification|
|US5770849 *||Aug 23, 1996||Jun 23, 1998||Motorola, Inc.||Smart card device with pager and visual image display|
|US5790668 *||Dec 19, 1995||Aug 4, 1998||Mytec Technologies Inc.||Method and apparatus for securely handling data in a database of biometrics and associated data|
|US5815252 *||Nov 21, 1995||Sep 29, 1998||Canon Kabushiki Kaisha||Biometric identification process and system utilizing multiple parameters scans for reduction of false negatives|
|US5857079 *||Dec 23, 1994||Jan 5, 1999||Lucent Technologies Inc.||Smart card for automatic financial records|
|US6012636 *||Apr 22, 1997||Jan 11, 2000||Smith; Frank E.||Multiple card data system having first and second memory elements including magnetic strip and fingerprints scanning means|
|US6016963 *||Jan 23, 1998||Jan 25, 2000||Mondex International Limited||Integrated circuit card with means for performing risk management|
|US6069970 *||Apr 27, 1999||May 30, 2000||Authentec, Inc.||Fingerprint sensor and token reader and associated methods|
|US6098330 *||May 16, 1997||Aug 8, 2000||Authentec, Inc.||Machine including vibration and shock resistant fingerprint sensor and related methods|
|US6163771 *||Aug 28, 1997||Dec 19, 2000||Walker Digital, Llc||Method and device for generating a single-use financial account number|
|US6282649 *||Jul 14, 1998||Aug 28, 2001||International Business Machines Corporation||Method for controlling access to electronically provided services and system for implementing such method|
|US6507912 *||Jan 27, 1999||Jan 14, 2003||International Business Machines Corporation||Protection of biometric data via key-dependent sampling|
|US6547130 *||Aug 4, 1999||Apr 15, 2003||Ming-Shiang Shen||Integrated circuit card with fingerprint verification capability|
|US6662166 *||Jun 11, 2001||Dec 9, 2003||Indivos Corporation||Tokenless biometric electronic debit and credit transactions|
|US6715679 *||Sep 8, 1999||Apr 6, 2004||At&T Corp.||Universal magnetic stripe card|
|US6745936 *||Aug 23, 1996||Jun 8, 2004||Orion Systems, Inc.||Method and apparatus for generating secure endorsed transactions|
|US6775398 *||Dec 27, 1999||Aug 10, 2004||International Business Machines Corporation||Method and device for the user-controlled authorisation of chip-card functions|
|US6776332 *||Dec 26, 2002||Aug 17, 2004||Micropin Technologies Inc.||System and method for validating and operating an access card|
|US6816058 *||Apr 26, 2001||Nov 9, 2004||Mcgregor Christopher M||Bio-metric smart card, bio-metric smart card reader and method of use|
|US6901375 *||Apr 27, 2001||May 31, 2005||Xtec, Incorporated||Methods and apparatus for electronically storing and retrieving value information on a portable card|
|US6954133 *||Dec 19, 2001||Oct 11, 2005||Mcgregor Travis M||Bio-metric smart card, bio-metric smart card reader, and method of use|
|US6957337 *||Aug 11, 1999||Oct 18, 2005||International Business Machines Corporation||Method and apparatus for secure authorization and identification using biometrics without privacy invasion|
|US20010016827 *||Apr 27, 2001||Aug 23, 2001||Alberto Fernandez||Methods and apparatus for electronically storing and retreiving value information on a portable card|
|US20020148892 *||Feb 22, 2002||Oct 17, 2002||Biometric Security Card, Inc.||Biometric identification system using biometric images and personal identification number stored on a magnetic stripe and associated methods|
|US20020153424 *||Apr 19, 2001||Oct 24, 2002||Chuan Li||Method and apparatus of secure credit card transaction|
|US20020180584 *||Dec 19, 2001||Dec 5, 2002||Audlem, Ltd.||Bio-metric smart card, bio-metric smart card reader, and method of use|
|US20020181584 *||Mar 13, 2002||Dec 5, 2002||Patrice Alexandre||Method and device for controlling the quality of video data|
|US20030074317 *||Oct 15, 2001||Apr 17, 2003||Eyal Hofi||Device, method and system for authorizing transactions|
|US20030106935 *||Nov 19, 2002||Jun 12, 2003||Burchette Robert L.||Transaction card system having security against unauthorized usage|
|US20030111527 *||Dec 6, 2000||Jun 19, 2003||George Blossom||Selectable multi-purpose card|
|US20030145203 *||Jan 30, 2002||Jul 31, 2003||Yves Audebert||System and method for performing mutual authentications between security tokens|
|US20030150907 *||Oct 19, 2001||Aug 14, 2003||Metcalf Jonathan H.||System for vending products and services using an identification card and associated methods|
|US20040030660 *||Jul 3, 2003||Feb 12, 2004||Will Shatford||Biometric based authentication system with random generated PIN|
|US20040050930 *||Sep 17, 2002||Mar 18, 2004||Bernard Rowe||Smart card with onboard authentication facility|
|US20040124246 *||Dec 26, 2002||Jul 1, 2004||Allen Greggory W. D.||System and method for validating and operating an access card|
|US20040154013 *||Jan 16, 2003||Aug 5, 2004||Sun Microsystems, Inc., A Delaware Corporation||Using a digital fingerprint to commit loaded data in a device|
|US20040188519 *||Mar 31, 2003||Sep 30, 2004||Kepler, Ltd. A Hong Kong Corporation||Personal biometric authentication and authorization device|
|US20050144484 *||Feb 14, 2002||Jun 30, 2005||Hironori Wakayama||Authenticating method|
|US20050188213 *||Feb 23, 2004||Aug 25, 2005||Xiaoshu Xu||System for personal identity verification|
|US20050287987 *||Jun 7, 2005||Dec 29, 2005||Nec Corporation||Contents data utilization system and method, and mobile communication terminal used for the same|
|US20060095369 *||Dec 19, 2005||May 4, 2006||Eyal Hofi||Device, method and system for authorizing transactions|
|US20060150211 *||Dec 29, 2005||Jul 6, 2006||Swisscom Mobile Ag||Method and terminal for limited-access receiving of data as well as remote server|
|US20060224508 *||Mar 30, 2006||Oct 5, 2006||Fietz Guy D||Online debit cardless debit transaction system and method|
|US20060229988 *||Jan 21, 2003||Oct 12, 2006||Shunichi Oshima||Card settlement method using portable electronic device having fingerprint sensor|
|US20060267727 *||Jul 21, 2006||Nov 30, 2006||Jordan Cayne||Intelligent locking system using biometrics|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7360710 *||Apr 16, 2007||Apr 22, 2008||Target Brands, Inc.||Stored-value card with chamber|
|US7578437 *||Oct 13, 2005||Aug 25, 2009||Industrial Technology Research Institute||Display-enabled electronic system|
|US7581678||Feb 22, 2005||Sep 1, 2009||Tyfone, Inc.||Electronic transaction card|
|US7770802||Oct 13, 2008||Aug 10, 2010||Target Brands, Inc.||Stored-value card with multiple member housing|
|US7805615||Jul 15, 2005||Sep 28, 2010||Tyfone, Inc.||Asymmetric cryptography with user authentication|
|US7810165 *||Jun 18, 2007||Oct 5, 2010||Visa U.S.A. Inc.||Portable consumer device configured to generate dynamic authentication data|
|US7818264||Jun 12, 2007||Oct 19, 2010||Visa U.S.A. Inc.||Track data encryption|
|US7819322||Jun 18, 2007||Oct 26, 2010||Visa U.S.A. Inc.||Portable consumer device verification system|
|US7828214||Aug 11, 2009||Nov 9, 2010||Tyfone, Inc.||Mobile phone with electronic transaction card|
|US7954715||Nov 8, 2010||Jun 7, 2011||Tyfone, Inc.||Mobile device with transaction card in add-on slot|
|US7954716||Dec 8, 2010||Jun 7, 2011||Tyfone, Inc.||Electronic transaction card powered by mobile device|
|US7954717||Dec 8, 2010||Jun 7, 2011||Tyfone, Inc.||Provisioning electronic transaction card in mobile device|
|US7961101||Aug 8, 2008||Jun 14, 2011||Tyfone, Inc.||Small RFID card with integrated inductive element|
|US7991158||Aug 24, 2007||Aug 2, 2011||Tyfone, Inc.||Secure messaging|
|US8078885||Jul 14, 2008||Dec 13, 2011||Innovation Investments, Llc||Identity authentication and secured access systems, components, and methods|
|US8091786||May 24, 2011||Jan 10, 2012||Tyfone, Inc.||Add-on card with smartcard circuitry powered by a mobile device|
|US8189788||Jul 15, 2005||May 29, 2012||Tyfone, Inc.||Hybrid symmetric/asymmetric cryptography with user authentication|
|US8275995||Nov 23, 2011||Sep 25, 2012||Department Of Secure Identification, Llc||Identity authentication and secured access systems, components, and methods|
|US8352369||Jan 12, 2001||Jan 8, 2013||Harris Intellectual Property, Lp||System and method for pre-verifying commercial transactions|
|US8375441 *||Sep 1, 2010||Feb 12, 2013||Visa U.S.A. Inc.||Portable consumer device configured to generate dynamic authentication data|
|US8380628||Jul 17, 2000||Feb 19, 2013||Harris Intellectual Property, Lp||System and method for verifying commercial transactions|
|US8439268||Jul 26, 2010||May 14, 2013||Target Brands, Inc.||Stored-value card with multiple member housing|
|US8474718||Mar 21, 2012||Jul 2, 2013||Tyfone, Inc.||Method for provisioning an apparatus connected contactless to a mobile device|
|US8477940||Jul 15, 2005||Jul 2, 2013||Tyfone, Inc.||Symmetric cryptography with user authentication|
|US8573494||Nov 27, 2011||Nov 5, 2013||Tyfone, Inc.||Apparatus for secure financial transactions|
|US8640963 *||Jan 3, 2011||Feb 4, 2014||Target Brands, Inc.||Transaction product with electrical circuit|
|US8757498||May 13, 2013||Jun 24, 2014||Target Brands, Inc.||Stored-value card with multiple member housing|
|US8794532 *||Dec 29, 2008||Aug 5, 2014||Mastercard International Incorporated||Methods and apparatus for use in association with identification token|
|US9065643||Jun 25, 2008||Jun 23, 2015||Visa U.S.A. Inc.||System and method for account identifier obfuscation|
|US9092708||Apr 7, 2015||Jul 28, 2015||Tyfone, Inc.||Wearable device with time-varying magnetic field|
|US20020007345 *||Jan 12, 2001||Jan 17, 2002||Harris David N.||System and method for pre-verifying commercial transactions|
|US20050269401 *||Jun 3, 2005||Dec 8, 2005||Tyfone, Inc.||System and method for securing financial transactions|
|US20050269402 *||Jun 3, 2005||Dec 8, 2005||Tyfone, Inc.||System and method for securing financial transactions|
|US20100163616 *||Dec 29, 2008||Jul 1, 2010||Simon Phillips||Methods and apparatus for use in association with identification token|
|US20110066516 *||Mar 17, 2011||Ayman Hammad||Portable Consumer Device Configured to Generate Dynamic Authentication Data|
|US20110099106 *||Apr 28, 2011||Target Brands, Inc.||Transaction product with electrical circuit|
|US20110161229 *||Jun 30, 2011||First Data Corporation||Systems and methods for processing a contactless transaction card|
|WO2007149830A2 *||Jun 19, 2007||Dec 27, 2007||Visa Int Service Ass||Portable consumer device configured to generate dynamic authentication data|
|WO2013114364A1 *||Jan 30, 2013||Aug 8, 2013||KARAKOP, Rahamim||Safe card|
|U.S. Classification||235/439, 235/380|
|International Classification||G05B19/042, G07C9/00, G07F7/10|
|Cooperative Classification||H04L9/0866, G05B2219/24167, G06Q20/341, G06Q20/4097, G06Q20/385, G05B19/0425, G07C9/00087, G07C2009/00095, G05B2219/24162, G07F7/0886, G06Q20/3415, G07F7/1008, G06Q20/40145, G05B2219/25192, G05B2219/23342|
|European Classification||G06Q20/385, G06Q20/3415, G06Q20/40145, G06Q20/4097, G06Q20/341, G07F7/08G2P, G07C9/00B6D4, G05B19/042N1, G07F7/10D|